Costco IT is responsible for the technical future of Costco Wholesale, the second largest retailer in the world with wholesale operations in twelve countries. Despite our size and explosive international expansion, we continue to provide a family, employee centric atmosphere in which our employees thrive and succeed. As proof, Costco consistently ranks in the top five of Forbes “America’s Best Employers”.
The role of each Information Security team member is to support the overarching values and business goals of Costco Wholesale, including meeting legal, ethical and regulatory obligations; protecting member privacy; and maintaining a security technology environment for our operations.
Information Security Operation Engineers provide technical and logistical support for internal and external penetration testers, working with internal business team members to conduct service engagements for security testing. Security Engineers perform reviews of system architecture documentation to determine the optimal methods and computing resources required to conduct security assessment and testing of the scoped assets, systems, processes, and/or employees; review scope of work from internal and 3rd party vendors; review the scope of work for an information security or compliance based tests to ensure security best practices are enforced and systems vulnerabilities and exposures are documented, reported and escalated; co-ordinate the setup of testing hosts and resources; mentor other team members with lesser subject matter expertise; consult with business team to discuss remediation options and finding details.
Additionally, this Security Engineer will possess some of the following knowledge and skills. The security engineer should have in-depth knowledge of security software and tools (pentesting tools). They should have solid skills of Windows and Linux operating systems, network design in a Cisco environment, a good understanding of a hybrid cloud architecture along with security best practices.
If you want to be a part of one of the BEST “to work for” companies in the world, simply apply and let your career be reimagined.
- Works with Compliance, Internal Audit, Business teams, and internal and external penetration testing vendors to scope configure and validate solutions to support penetration testing.
- Works with Information System Owners and Administrators to understand their security needs and assists with implementing practices and procedures consistent with Costco’s security policies.
- Guides internal Information Systems Teams to setup and maintain testing hosts, infrastructure, and software for penetration testing engagements.
- Works with Incident Response team as necessary to consult on discovered security incidents by informing appropriate custodians, determining root cause, and actions (if necessary) required to re-establish respective information system security.
- Works with stakeholders to design security engagements to test or assess their systems and business requirements.
- Assumes a leadership role in advocating internally and externally for security measures to protect cloud-based applications and environments.
- Documents security findings from pentesting engagements and reports the risks of those findings to the business and management.
- Works with business teams to identify remediation solutions to security findings.
- Builds and maintains pentesting vendor partnerships to further Costco’s mission and goals.
- Implements and oversees vendor access to the Costco environment in support of pen tests engagements. This includes network, application and rights management.
- Liaison between international sites and the business with internal and external penetration testers.
- Researches and remains up to date with emerging threats and Threat Emulation methodologies. Maintains current knowledge of industry trends and standards in information security.
- Participates in team activities and team planning in regards to improving team skills, awareness and quality of work.
- Responsible for continued personal growth in the areas of technology, business knowledge, and Costco policies and platforms.
- Demonstrates a logical and structured approach to time management and task prioritization.
- Creates new tools to support pen tests efforts.
- Mentors team members.
- Develops and documents standards and best practices.
- Design, develop, document, optimize, automate and implement Windows, Linux, virtual lab environments, virtual and cloud solutions that support penetration testing.
- Collaborate with team members, vendors, IT teams and project teams to define and implement solutions to achieve penetration testing objectives.
- 3+ years’ System Administration experience supporting Windows, Linux, virtual and cloud environments.
- Understanding of security issues for desktop, virtual, cloud services and network infrastructures.
- Experience with some of the tools listed below: Kali Linux, Metasploit, Burp suite, Cobalt Strike, Tenable Nessus, Web Inspect, IDA PRO, Wireshark.
- Able to automate tasks and script at a basic level.
- Experience with one or more scripting languages.
- Experience with Windows, Linux and cloud environment testing.
- Experience in IT systems and security policies, standards, industry trends, and techniques.
- Demonstrate a logical and structured approach to time management and task prioritization.
- Able to handle highly confidential information in a strictly professional manner.
- Experience with secure network protocols and encryption of communications between networked hosts.
- Experience working with hybrid cloud infrastructures.
- Working understanding of security assessment frameworks such as PCI, HIPAA, GDPR, etc.
- Thorough understanding of the OSI model, as well as IPv4/IPv6 protocol suite.
- Working knowledge of information systems security standards/practices (e.g., access control and system hardening, system audit and log file monitoring, security policies, and incident handling).
- Must be detail-oriented and possess strong problem-solving skills and ability to analyze for potential future issues.
- Demonstrate a high level of communication skills, verbal and written.
- Experience with assessing APT threats, Penetration Testing, Vulnerability Management, attack methodologies, forensics analysis techniques, malware analysis, attack surface comprehension, Cyber Threat Emulation operations, Cyber Advanced Threat Emulation Team operations and research, identification, and/or verification of new APT TTPs.
- Fundamental understanding of security knowledge of testing mobile, native applications, web applications, distributed and database systems.
- One or more professional audit or security certifications such as CISA, GSEC, CEH, and/or CISSP (or equivalent experience).
- A relevant degree or equivalent, and/or proven operational experience.